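The program I am looking at calls VirtualProtect to take a block of code from RW -> RWE, but it turns out that the protection extends to 4 bytes before the address passed as the argument. I checked MSDN, and it says that VirtualProtect applies rounding/boundary extension to the size, but it does not specify how the extension propagates across pages.
I am fairly confident that this is what is happening, but I would like to view the memory permissions of the specific segment to confirm it. After VP is called, the memory map does not seem to refresh, and I cannot find anywhere else that shows memory permissions. In WinDbg I could do something like !vprot, so I am curious whether there is something similar here.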
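Answer #1
ollydbg 1.10 refreshes the memory window automatically when the protection attributes change, but only if the address passed to VirtualProtect lies in the first page of the allocation. It shows the size of the full allocation as one contiguous dump.
windbg !vprot shows the modified protection attributes only when traversed page by page.
ollydbg 2.01's memory window updates automatically, page by page.
Example: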
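    #include <windows.h>
    #include <stdio.h>
    #include <tchar.h>

    int _tmain(int argc, _TCHAR* argv[])
    {
        printf("lets valloc \n");
        PCHAR foo;
        // 0x1004 bytes are rounded up to two 4 KB pages, both PAGE_READONLY
        foo = (PCHAR)VirtualAlloc(0,0x1004,MEM_COMMIT,PAGE_READONLY);
        printf("we valloced lets vprot\n");
        DWORD oldprot;
        // first call: one byte in the second page, so only that page changes
        if ( (VirtualProtect(foo+0x1000,1,PAGE_EXECUTE_READWRITE,&oldprot) == FALSE) )
        {
            printf("our vprot failed\n");
            return FALSE;
        }
        // second call: last byte of the first page, so the first page changes
        if ( (VirtualProtect(foo+0xfff,1,PAGE_EXECUTE_READWRITE,&oldprot) == FALSE) )
        {
            printf("our vprot failed\n");
            return FALSE;
        }
        printf("we vprotted fine \n");
        return 0;
    }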
The ollydbg 1.10 memory window shows the same thing after VirtualAlloc and after the first VirtualProtect. The display changes only after the second VirtualProtect.
Memory map, item 19
Address=003A0000
Size=00002000 (8192.)
Owner= 003A0000 (itself)
Section=
Type=Priv 00021002
Access=R
Initial access=R
After the second VirtualProtect:
Memory map, item 19
Address=003A0000
Size=00002000 (8192.)
Owner= 003A0000 (itself)
Section=
Type=Priv 00021040
**Access=RWE**
Initial access=R
windbg shows the changed attributes only when traversed page by page:
0:000> g
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
Breakpoint 0 hit
> 8: {
0:000> p
> 9: printf("lets valloc \n");
0:000> p
> 11: foo = (PCHAR)VirtualAlloc(0,0x1004,MEM_COMMIT,PAGE_READONLY);
0:000> p
> 12: printf("we valloced lets vprot\n");
0:000> ?? foo
char * 0x003a0000
""
0:000> !vprot @@c++(foo)
BaseAddress: 003a0000
AllocationBase: 003a0000
AllocationProtect: 00000002 PAGE_READONLY
RegionSize: 00002000
State: 00001000 MEM_COMMIT
Protect: 00000002 PAGE_READONLY
Type: 00020000 MEM_PRIVATE
0:000> p
> 14: if ( (VirtualProtect(foo+0x1000,1,PAGE_EXECUTE_READWRITE,&oldprot) == FALSE) )
0:000> p
> 19: if ( (VirtualProtect(foo+0xfff,1,PAGE_EXECUTE_READWRITE,&oldprot) == FALSE) )
0:000> !vprot @@c++(foo)
BaseAddress: 003a0000
AllocationBase: 003a0000
AllocationProtect: 00000002 PAGE_READONLY
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000002 PAGE_READONLY
Type: 00020000 MEM_PRIVATE
0:000> !vprot (@@c++(foo)+1000)
BaseAddress: 003a1000
AllocationBase: 003a0000
AllocationProtect: 00000002 PAGE_READONLY
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000040 PAGE_EXECUTE_READWRITE
Type: 00020000 MEM_PRIVATE
ollydbg 2.01 shows any change immediately; note the memory map item number and address:
Memory map, item 19
Address = 003A0000
Size = 00002000 (8192.)
Owner = 003A0000 (self)
Section =
Contains =
Type = Priv 00021002
Access = R
Initial access = R
Mapped as =
After the first VirtualProtect:
Memory map, item 20
Address = 003A1000
Size = 00001000 (4096.)
Owner = 003A0000
Section =
Contains =
Type = Priv 00021040
Access = RWE
Initial access = R
Mapped as =
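Answer #2
I don't think there is another way in Olly (barring plugins), but you can refresh the map using "Actualize" from the context menu. Permissions apply only to whole pages, so any address you pass will be rounded, and the size will be rounded to the page boundary (1000 hex).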
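The page rounding described in the answers, as an added example that is not part of the original posts: a portable C model (no Windows API calls) of one allocation whose protection is tracked per 4 KB page, with a query that merges adjacent pages of equal protection the way `!vprot` reports `RegionSize`. The names `model_alloc`, `model_protect` and `model_query` are hypothetical; on a live process the same per-page view comes from `VirtualQuery` or `!vprot`.

```c
/* Added illustration: a model of page-granular protection, not Windows code. */
#include <stdint.h>
#include <stddef.h>

#define PAGE_SIZE 0x1000u
#define MAX_PAGES 16
#define PROT_R    0x02u   /* same value as PAGE_READONLY */
#define PROT_RWX  0x40u   /* same value as PAGE_EXECUTE_READWRITE */

typedef struct { uint32_t base; size_t npages; uint32_t prot[MAX_PAGES]; } alloc_t;
typedef struct { uint32_t base, size, prot; } region_t;

/* Allocation model: the requested size is rounded up to whole pages. */
static alloc_t model_alloc(uint32_t base, uint32_t size, uint32_t prot) {
    alloc_t a = { base, (size + PAGE_SIZE - 1) / PAGE_SIZE, {0} };
    if (a.npages > MAX_PAGES) a.npages = MAX_PAGES;
    for (size_t i = 0; i < a.npages; i++) a.prot[i] = prot;
    return a;
}

/* Protect model: every page holding at least one byte of [addr, addr+size)
   changes. Returns the number of pages changed, 0 for a bad range. */
static size_t model_protect(alloc_t *a, uint32_t addr, uint32_t size, uint32_t prot) {
    if (size == 0 || addr < a->base) return 0;
    size_t first = (addr - a->base) / PAGE_SIZE;            /* start rounded down */
    size_t last  = (addr - a->base + size - 1) / PAGE_SIZE; /* end rounded up */
    if (last >= a->npages) return 0;
    for (size_t i = first; i <= last; i++) a->prot[i] = prot;
    return last - first + 1;
}

/* Query model: region starts at the page holding addr and extends over the
   following pages that share its protection. size == 0 means out of range. */
static region_t model_query(const alloc_t *a, uint32_t addr) {
    region_t r = {0, 0, 0};
    if (addr < a->base) return r;
    size_t i = (addr - a->base) / PAGE_SIZE;
    if (i >= a->npages) return r;
    size_t end = i;
    r.prot = a->prot[i];
    while (end < a->npages && a->prot[end] == r.prot) end++;
    r.base = a->base + (uint32_t)i * PAGE_SIZE;
    r.size = (uint32_t)(end - i) * PAGE_SIZE;
    return r;
}
```

Replaying the answer's first call (`foo+0x1000`, size 1) on this model splits the 0x2000 region into two 0x1000 regions, matching the `!vprot` output above; a constructed range that starts a few bytes before a page boundary and ends after it changes both pages.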